Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with - - PowerPoint PPT Presentation

▶

Sep 15, 2023 218 likes •468 views

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

SLIDE 1

Low Weight Discrete Logarithms and Subset Sum in 20.65n with Polynomial Memory

EUROCRYPT 2020, May 11.-15. 2020 Andre Esser and Alexander May Horst Görtz Institute for IT Security Ruhr University Bochum

SLIDE 2

Subset Sum Subset Sum Problem

Given: (a1, . . . , an, t, ω), where ai, t ∈ Z2n and ω ∈

0, 1

2

Find: e ∈ {0, 1}n : eiai = t mod 2n and ✇t(e) = ωn
Random instance: ai ∈R Z2n
Cryptanalytic applications (Decoding, LPN, SIS, DLP)
a := (a1, . . . , an)

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 2/18

SLIDE 3

A memoryless Meet-in-the-Middle

x: y:

n 2 n 4 n 4

= +

e:

n/2 f(x) := a, x mod 2

n 2

g(y) := t − a, y mod 2

n 2

search for collision

collision: a, x = t − a, y mod 2

n 2

t = a, x + y mod 2

n 2

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 3/18

SLIDE 4

Folklore Algorithm f g

1. search for collision

collision (x, y): a, x + y mod 2n

$ t

n 2

?

=

t 2. no repeat 2a. yes

ut: x + y

2b.

T = 20.75n

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 4/18

SLIDE 5

The Representation Technique

f : g:

x y e

n/4 n/2 n/4 x

+

y

=

e

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 5/18

SLIDE 6

The Representation Technique

f : g:

Goal: increase domain and #useful collisions x1 y1 e x2 y2

n/4 n/4 n/2 x

+

y

=

e

many representations

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 5/18

SLIDE 7

The memoryless BCJ Algorithm

n/4 n/4

increased size ⇒ increased modulus more collisions many good collisions

T = #good Colls #all Colls −1 · TC = 20.72n

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 6/18

SLIDE 8

Folklore vs. BCJ

0.1 0.2 0.3 0.4 0.5 0.25 0.5 0.75 weight ω

log T n

Folklore BCJ 0.72

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 7/18

SLIDE 9

Discrete Logarithms (low weight) DLP

Given: group G with |G| ≈ 2n generated by g, β ∈ G and ω ∈

0, 1

2

Find: α = ❞❧♦❣gβ satisfying gα = β and wt(α) = ωn
Time lower bound

n

ωn

(MitM)

ω = 1

2 usual case

Pollard Rho (T = 20.5n, M =poly)

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 8/18

SLIDE 10

low-weight DLP Landscape

0.1 0.2 0.3 0.4 0.5 0.25 0.5 0.75 weight ω

log T n

Folklore BCJ Pollard Lowerbound 0.72

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 9/18

SLIDE 11

Use of Carry Bits f1(x) := gx f2(y) := βg−y

search for collision

collision: gx+y = β = gα x y e + ωn =

ωn 2 ωn 2

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 10/18

SLIDE 12

Use of Carry Bits f1(x) := gx f2(y) := βg−y

search for collision

collision: gx+y = β = gα + ωn = x y α x + y computed

ver Z (mod|G|)

ωn 2 +ε ωn 2 +ε

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 10/18

SLIDE 13

Increase the Weight wt(x) = wt(y) = ωn

2 +ε = φ(ω)n 0.1 0.2 0.3 0.4 0.5 0.1 0.2 0.3 0.4 0.5 weight ω φ(ω) ω/2

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 11/18

SLIDE 14

The new Algorithm

search for collision

f1(x) f2(y) x y

φ(ω)n φ(ω)n

increased domainsize ⇒ more Representations

T = #good Colls #all Colls −1 · TC = 2(H(ω)−H(φ)/2)n

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 12/18

SLIDE 15

Updated low-weight DLP Landscape

0.1 0.2 0.3 0.4 0.5 0.25 0.5 0.75 weight ω

log T n

Folklore BCJ New Alg. Pollard Lowerbound 0.72

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 13/18

SLIDE 16

A new Time-Memory-Tradeoff

search for collision

f1(x) f2(y) x y

φ(ω)n φ(ω)n

increased domain size ⇒ more representations

T = #good Colls #all Colls −1 · TC = 2(H(ω)−H(φ)/2)n

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 14/18

SLIDE 17

A new Time-Memory-Tradeoff

search for collision

f1(x) f2(y) x y

φ(ω)n φ(ω)n

increased domain size ⇒ more representations M =

#good Colls

#all Colls

−1 T = #good Colls #all Colls −1 · TC = 2

H(ω)n 2 Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 14/18

SLIDE 18

Achieving the Square-Root Bound

0.1 0.2 0.3 0.4 0.5 0.25 0.5 weight ω time / memory exponent BCJ time BCJ memory New time New memory

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 15/18

SLIDE 19

Back to Subset Sum

1. search for collision $ repeat 2a. t no

?

=

yes

ut: x + y

2b. t

f g collision (x, y):a, x + y mod 2n

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18

SLIDE 20

Back to Subset Sum

1. search for collision v

h1(s) v s s

t

f g collision (x, y):a, x + y mod 2n

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18

SLIDE 21

Back to Subset Sum

1. search for collision v

h1(s) v s

t

collision: a, x1 + y1 mod 2n f1 g1

search for collision

a, x2 + y2 mod 2n

v’

h2(s) t − v′ s f2 g2

search for collision 2.

coll. ⇒ a, x1 + y1 + x2 + y2 = t mod 2n

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18

SLIDE 22

Nested Rhos

T =

#good Colls

#all Colls

−1

· TC = 20.65n

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 17/18

SLIDE 23

Results Group Subset Sum (low-weight) DLP Subset Sum Folklore BCJ Improved Algorithms improved poly memory reduced MitM memory Nested Collision Search 20.65n, poly memory

Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 18/18